OpenClaw released v2026.4.9 on April 9, its most feature-dense update in recent cycles. The release spans five domains: memory and dreaming, security hardening, QA tooling, mobile pairing, and plugin infrastructure, according to the GitHub release notes.
Memory and Dreaming
The headline feature is a grounded REM backfill system. Old daily notes can now replay into Dreams and durable memory without requiring a second memory stack. The system adds historical rem-harness --path support, diary commit/reset flows, cleaner durable-fact extraction, and live short-term promotion integration, per the release notes.
A new Control UI component provides a structured diary view with timeline navigation, backfill/reset controls, traceable dreaming summaries, and a grounded Scene lane with promotion hints. Users can safely clear grounded signals during staged backfill through a dedicated action, the release detailed.
The practical effect: agents running OpenClaw can now build long-term memory from historical interaction data, not just live conversations. For deployments with months of daily notes, this means an agent’s durable memory can retroactively incorporate context it never processed in real time.
Security Hardening
Four security fixes target common agent exploitation vectors:
SSRF quarantine enforcement. Browser interactions that trigger main-frame navigations from clicks, evaluations, or hook-triggered actions now re-run blocked-destination safety checks. Previously, interaction-driven navigations could bypass the SSRF quarantine when landing on forbidden URLs, the release noted.
Dotenv injection. Runtime-control environment variables, browser-control overrides, and skip-server env vars are now blocked from untrusted workspace .env files. Unsafe URL-style browser control override specifiers are rejected before lazy loading, according to the release.
Node exec injection. Remote node exec events (started, finished, denied) are now marked as untrusted system events. Node-provided command, output, and reason text is sanitized before enqueueing, preventing remote node output from injecting trusted System: content into later turns, the notes stated.
Plugin auth collision. Untrusted workspace plugins can no longer collide with bundled provider auth-choice IDs during non-interactive onboarding, keeping operator secrets out of untrusted plugin handlers, per GitHub.
QA and Evaluation
A new character-vibes evaluation system lets operators run parallel QA comparisons across model candidates with structured reports. This formalizes behavioral consistency testing, allowing teams to verify that agent personas remain aligned across model updates, according to the release.
Android Pairing Overhaul
The Android pairing system was rebuilt to fix persistent connectivity failures. Stale setup-code auth is now cleared on new QR scans, operator and node sessions bootstrap from fresh pairing, stored device tokens are preferred after bootstrap handoff, and pairing auto-retry pauses while the app is backgrounded. The result: scan-once Android pairing works reliably again, the release noted.
Additional Fixes
The release also addresses Matrix gateway stability, Slack media attachment loading, session routing preservation for external channels, and gateway model override handling on reset. The full changelog includes contributions from 12 developers across the project, per the GitHub release.